
Issue 706075

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2017
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security
Security: XSS issue Google.

Reported by gpruijss...@gmail.com, Mar 28 2017

Issue description

Hello,

I've discovered an XSS vulnerability. This currently leads to a nulledsoftware website, as I've managed to stumble upon this. Please look into this!

https://www.google.com/url?sa=t&url=%68%74%74%70%3A%2F%2F%6E%75%6C%6C%65%64%73%6F%66%74%2E%72%75&usg=AFQjCNE2LEKxJ2KAF7OgetzkY1_7T9cb_Q&id=edevcimot

I've also attempted this with a different URL but failed to reproduce this. I have not created this XSS exploit myself; I stumbled upon it. The URL is encoded, although it still lets Google redirect directly to it without the warning message.

What leads you to believe this is an XSS issue? It appears to be simply a redirection through Google.com, where the redirect URL is %-encoded (http becomes %68%74%74%70, etc.)?

This wouldn't represent a security bug in Chrome, and Google.com does not consider open redirects a security bug: https://sites.google.com/site/bughunteruniversity/nonvuln/open-redirect
Labels: Needs-Feedback
Status: WontFix (was: Unconfirmed)
Closing due to lack of feedback.

Google's overall vulnerability reporting program can be found here: https://www.google.com/appserve/security-bugs/m2/new?rl=&key=
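The triage above comes down to one point: the `url` parameter is only percent-encoded, and a redirector must judge the decoded target, not its surface form. The following is an added example (not code from this tracker or from Google) of how a redirect endpoint can validate its target after full decoding against an allowlist of hosts; the allowlist and helper names are assumptions for illustration.

```python
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed allowlist for the example: hosts this redirector may send users to.
ALLOWED_HOSTS = {"www.google.com", "support.google.com"}


def decode_redirect_target(redirect_url: str, param: str = "url") -> Optional[str]:
    """Return the fully percent-decoded value of `param` from a redirector URL.

    parse_qs already decodes one layer; the loop keeps decoding until the value
    stops changing so the check sees the same target the browser will finally load.
    """
    values = parse_qs(urlparse(redirect_url).query).get(param)
    if not values:
        return None
    target = values[0]
    for _ in range(5):  # bounded so a pathological value cannot loop forever
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_allowed_redirect(redirect_url: str) -> bool:
    """True only if the decoded target is http(s) and its host is on the allowlist."""
    target = decode_redirect_target(redirect_url)
    if target is None:
        return False
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https"):
        return False  # rejects scheme-less (protocol-relative) and non-web targets
    host = (parsed.hostname or "").lower()
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    # The reporter's URL from this issue: decodes to an off-allowlist host.
    reported = ("https://www.google.com/url?sa=t&url=%68%74%74%70%3A%2F%2F"
                "%6E%75%6C%6C%65%64%73%6F%66%74%2E%72%75&usg=x&id=edevcimot")
    print(decode_redirect_target(reported), is_allowed_redirect(reported))
```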
Project Member

Comment 5 by sheriffbot@chromium.org, Jul 12 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot